simple filter question: eliminate the successes to focus on other events

Explorer

Every day I do a search that searches this:

I know how to filter for a specific event so, for example, I always run this:

source=wineventlog:* earliest_time=-24h

And every day I get about 25,000 hits, 24,000 of which are of this type:

source=wineventlog:* earliest_time=-24h "Type=Success"

I'd like to filter out the 24,000 successes and instead show me the 1,000 events that are not of "Type=Success". How can I do that?

0 Karma

Re: simple filter question: eliminate the successes to focus on other events

Splunk Employee

This is an easy one
source=wineventlog:* earliest_time=-24h NOT "Type=Success"

0 Karma

Re: simple filter question: eliminate the successes to focus on other events

Explorer

I figured it would be easy but I was clueless. Thanks, emotz!

0 Karma

Re: simple filter question: eliminate the successes to focus on other events

Legend

I don't get what's with all the double posting of questions lately. How is this different from http://splunk-base.splunk.com/answers/62964/how-to-filter-by-does-not-equal ?